<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="language" content="en" />
<link rel="stylesheet" type="text/css" href="css/style.css" />
<link rel="stylesheet" type="text/css" href="css/api.css" />
<script type="text/javascript" src="js/jquery.js"></script>
<title>CPasswordHelper</title>
</head>

<body>
<div id="apiPage">

<div id="apiHeader">
<a href="http://www.yiiframework.com">Yii Framework</a> v1.1.17 Class Reference
</div><!-- end of header -->

<div id="content">
<h1>CPasswordHelper</h1>
<div id="nav">
<a href="index.html">All Packages</a>
| <a href="#methods">Methods</a>
</div>

<table class="summaryTable docClass">
<colgroup>
	<col class="col-name" />
	<col class="col-value" />
</colgroup>
<tr>
  <th>Package</th>
  <td><a href="index.html#system.utils">system.utils</a></td>
</tr>
<tr>
  <th>Inheritance</th>
  <td>class CPasswordHelper</td>
</tr>
<tr>
  <th>Since</th>
  <td>1.1.14</td>
</tr>
<tr>
  <th>Source Code</th>
  <td><a class="sourceLink" href="https://github.com/yiisoft/yii/blob/1.1.17/framework/utils/CPasswordHelper.php">framework/utils/CPasswordHelper.php</a></td>
</tr>
</table>

<div id="classDescription">
CPasswordHelper provides a simple API for secure password hashing and verification.
<br/><br/>
CPasswordHelper uses the Blowfish hash algorithm available in many PHP runtime
environments through the PHP <a href="http://php.net/manual/en/function.crypt.php">crypt()</a>
built-in function. As of Dec 2012 it is the strongest algorithm available in PHP
and the only algorithm without some security concerns surrounding it. For this reason,
CPasswordHelper fails when run in an environment that does not have
crypt() with its Blowfish option and $2y hash fix. Compatible system is:
<br/><br/>
(1) Most *nix systems since PHP 4 (the algorithm is part of the library function crypt(3));
(2) Any PHP since 5.3.7 or PHP with the <a href="http://www.hardened-php.net/suhosin/">Suhosin patch</a> including
$2y fix backported. Note that Debian's 5.3.3 is not supported.
<br/><br/>
For more information about password hashing, crypt() and Blowfish, please read
the Yii Wiki article
<a href="http://www.yiiframework.com/wiki/425/use-crypt-for-password-storage/">Use crypt() for password storage</a>.
and the
PHP RFC <a href="http://wiki.php.net/rfc/password_hash">Adding simple password hashing API</a>.
<br/><br/>
CPasswordHelper throws an exception if the Blowfish hash algorithm is not
available in the runtime PHP's crypt() function. It can be used as follows
<br/><br/>
Generate a hash from a password:
<pre>
$hash = CPasswordHelper::hashPassword($password);
</pre>
This hash can be stored in a database (e.g. CHAR(60) CHARACTER SET latin1). The
hash is usually generated and saved to the database when the user enters a new password.
But it can also be useful to generate and save a hash after validating a user's
password in order to change the cost or refresh the salt.
<br/><br/>
To verify a password, fetch the user's saved hash from the database (into $hash) and:
<pre>
if (CPasswordHelper::verifyPassword($password, $hash))
    // password is good
else
    // password is bad
</pre></div>
<a name="properties"></a>

<a name="methods"></a>

<div class="summary docMethod">
<h2>Public Methods</h2>

<p><a href="#" class="toggle">Hide inherited methods</a></p>

<table class="summaryTable">
<colgroup>
	<col class="col-method" />
	<col class="col-description" />
	<col class="col-defined" />
</colgroup>
<tr>
  <th>Method</th><th>Description</th><th>Defined By</th>
</tr>
<tr id="generateSalt">
  <td><a href="CPasswordHelper.html#generateSalt-detail">generateSalt()</a></td>
  <td>Generates a salt that can be used to generate a password hash.</td>
  <td>CPasswordHelper</td>
</tr>
<tr id="hashPassword">
  <td><a href="CPasswordHelper.html#hashPassword-detail">hashPassword()</a></td>
  <td>Generate a secure hash from a password and a random salt.</td>
  <td>CPasswordHelper</td>
</tr>
<tr id="same">
  <td><a href="CPasswordHelper.html#same-detail">same()</a></td>
  <td>Check for sameness of two strings using an algorithm with timing</td>
  <td>CPasswordHelper</td>
</tr>
<tr id="verifyPassword">
  <td><a href="CPasswordHelper.html#verifyPassword-detail">verifyPassword()</a></td>
  <td>Verify a password against a hash.</td>
  <td>CPasswordHelper</td>
</tr>
</table>
</div>
<div class="summary docMethod">
<h2>Protected Methods</h2>

<p><a href="#" class="toggle">Hide inherited methods</a></p>

<table class="summaryTable">
<colgroup>
	<col class="col-method" />
	<col class="col-description" />
	<col class="col-defined" />
</colgroup>
<tr>
  <th>Method</th><th>Description</th><th>Defined By</th>
</tr>
<tr id="checkBlowfish">
  <td><a href="CPasswordHelper.html#checkBlowfish-detail">checkBlowfish()</a></td>
  <td>Check for availability of PHP crypt() with the Blowfish hash option.</td>
  <td>CPasswordHelper</td>
</tr>
</table>
</div>
<a name="events"></a>

<h2>Method Details</h2>

<div class="detailHeader" id="checkBlowfish-detail">
checkBlowfish()
<span class="detailHeaderTag">
method
</span>
</div>

<table class="summaryTable">
<tr><td colspan="3">
<div class="signature2">
protected static void <b>checkBlowfish</b>()</div>
</td></tr>
</table>

<div class="sourceCode">
<b>Source Code:</b> <a class="sourceLink" href="https://github.com/yiisoft/yii/blob/1.1.17/framework/utils/CPasswordHelper.php#L61">framework/utils/CPasswordHelper.php#61</a> (<b><a href="#" class="show">show</a></b>)
<div class="code"><code><span style="color: #000000">
<span style="color: #0000BB"></span><span style="color: #007700">protected&nbsp;static&nbsp;function&nbsp;</span><span style="color: #0000BB">checkBlowfish</span><span style="color: #007700">()<br />{<br />&nbsp;&nbsp;&nbsp;&nbsp;if(!</span><span style="color: #0000BB">function_exists</span><span style="color: #007700">(</span><span style="color: #DD0000">'crypt'</span><span style="color: #007700">))<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;throw&nbsp;new&nbsp;</span><span style="color: #0000BB">CException</span><span style="color: #007700">(</span><span style="color: #0000BB">Yii</span><span style="color: #007700">::</span><span style="color: #0000BB">t</span><span style="color: #007700">(</span><span style="color: #DD0000">'yii'</span><span style="color: #007700">,</span><span style="color: #DD0000">'{class}&nbsp;requires&nbsp;the&nbsp;PHP&nbsp;crypt()&nbsp;function.&nbsp;This&nbsp;system&nbsp;does&nbsp;not&nbsp;have&nbsp;it.'</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;array(</span><span style="color: #DD0000">'{class}'</span><span style="color: #007700">=&gt;</span><span style="color: #0000BB">__CLASS__</span><span style="color: #007700">)));<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;if(!</span><span style="color: #0000BB">defined</span><span style="color: #007700">(</span><span style="color: #DD0000">'CRYPT_BLOWFISH'</span><span style="color: #007700">)&nbsp;||&nbsp;!</span><span style="color: #0000BB">CRYPT_BLOWFISH</span><span style="color: #007700">)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;throw&nbsp;new&nbsp;</span><span style="color: #0000BB">CException</span><span style="color: #007700">(</span><span style="color: #0000BB">Yii</span><span style="color: #007700">::</span><span style="color: #0000BB">t</span><span style="color: #007700">(</span><span style="color: #DD0000">'yii'</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #DD0000">'{class}&nbsp;requires&nbsp;the&nbsp;Blowfish&nbsp;option&nbsp;of&nbsp;the&nbsp;PHP&nbsp;crypt()&nbsp;function.&nbsp;This&nbsp;system&nbsp;does&nbsp;not&nbsp;have&nbsp;it.'</span><span style="color: #007700">,<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;array(</span><span style="color: #DD0000">'{class}'</span><span style="color: #007700">=&gt;</span><span style="color: #0000BB">__CLASS__</span><span style="color: #007700">)));<br />}</span>
</span>
</code></div>
</div>
<p>Check for availability of PHP crypt() with the Blowfish hash option.</p>


<div class="detailHeader" id="generateSalt-detail">
generateSalt()
<span class="detailHeaderTag">
method
</span>
</div>

<table class="summaryTable">
<tr><td colspan="3">
<div class="signature2">
public static string <b>generateSalt</b>(int $cost=13)</div>
</td></tr>
<tr>
  <td class="paramNameCol">$cost</td>
  <td class="paramTypeCol">int</td>
  <td class="paramDescCol">Cost parameter used by the Blowfish hash algorithm.</td>
</tr>
<tr>
  <td class="paramNameCol">{return}</td>
  <td class="paramTypeCol">string</td>
  <td class="paramDescCol">the random salt value.</td>
</tr>
</table>

<div class="sourceCode">
<b>Source Code:</b> <a class="sourceLink" href="https://github.com/yiisoft/yii/blob/1.1.17/framework/utils/CPasswordHelper.php#L181">framework/utils/CPasswordHelper.php#181</a> (<b><a href="#" class="show">show</a></b>)
<div class="code"><code><span style="color: #000000">
<span style="color: #0000BB"></span><span style="color: #007700">public&nbsp;static&nbsp;function&nbsp;</span><span style="color: #0000BB">generateSalt</span><span style="color: #007700">(</span><span style="color: #0000BB">$cost</span><span style="color: #007700">=</span><span style="color: #0000BB">13</span><span style="color: #007700">)<br />{<br />&nbsp;&nbsp;&nbsp;&nbsp;if(!</span><span style="color: #0000BB">is_numeric</span><span style="color: #007700">(</span><span style="color: #0000BB">$cost</span><span style="color: #007700">))<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;throw&nbsp;new&nbsp;</span><span style="color: #0000BB">CException</span><span style="color: #007700">(</span><span style="color: #0000BB">Yii</span><span style="color: #007700">::</span><span style="color: #0000BB">t</span><span style="color: #007700">(</span><span style="color: #DD0000">'yii'</span><span style="color: #007700">,</span><span style="color: #DD0000">'{class}::$cost&nbsp;must&nbsp;be&nbsp;a&nbsp;number.'</span><span style="color: #007700">,array(</span><span style="color: #DD0000">'{class}'</span><span style="color: #007700">=&gt;</span><span style="color: #0000BB">__CLASS__</span><span style="color: #007700">)));<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$cost</span><span style="color: #007700">=(int)</span><span style="color: #0000BB">$cost</span><span style="color: #007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;if(</span><span style="color: #0000BB">$cost</span><span style="color: #007700">&lt;</span><span style="color: #0000BB">4&nbsp;</span><span style="color: #007700">||&nbsp;</span><span style="color: #0000BB">$cost</span><span style="color: #007700">&gt;</span><span style="color: #0000BB">31</span><span style="color: #007700">)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;throw&nbsp;new&nbsp;</span><span style="color: #0000BB">CException</span><span style="color: #007700">(</span><span style="color: #0000BB">Yii</span><span style="color: #007700">::</span><span style="color: #0000BB">t</span><span style="color: #007700">(</span><span style="color: #DD0000">'yii'</span><span style="color: #007700">,</span><span style="color: #DD0000">'{class}::$cost&nbsp;must&nbsp;be&nbsp;between&nbsp;4&nbsp;and&nbsp;31.'</span><span style="color: #007700">,array(</span><span style="color: #DD0000">'{class}'</span><span style="color: #007700">=&gt;</span><span style="color: #0000BB">__CLASS__</span><span style="color: #007700">)));<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;if((</span><span style="color: #0000BB">$random</span><span style="color: #007700">=</span><span style="color: #0000BB">Yii</span><span style="color: #007700">::</span><span style="color: #0000BB">app</span><span style="color: #007700">()-&gt;</span><span style="color: #0000BB">getSecurityManager</span><span style="color: #007700">()-&gt;</span><span style="color: #0000BB">generateRandomString</span><span style="color: #007700">(</span><span style="color: #0000BB">22</span><span style="color: #007700">,</span><span style="color: #0000BB">true</span><span style="color: #007700">))===</span><span style="color: #0000BB">false</span><span style="color: #007700">)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;if((</span><span style="color: #0000BB">$random</span><span style="color: #007700">=</span><span style="color: #0000BB">Yii</span><span style="color: #007700">::</span><span style="color: #0000BB">app</span><span style="color: #007700">()-&gt;</span><span style="color: #0000BB">getSecurityManager</span><span style="color: #007700">()-&gt;</span><span style="color: #0000BB">generateRandomString</span><span style="color: #007700">(</span><span style="color: #0000BB">22</span><span style="color: #007700">,</span><span style="color: #0000BB">false</span><span style="color: #007700">))===</span><span style="color: #0000BB">false</span><span style="color: #007700">)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;throw&nbsp;new&nbsp;</span><span style="color: #0000BB">CException</span><span style="color: #007700">(</span><span style="color: #0000BB">Yii</span><span style="color: #007700">::</span><span style="color: #0000BB">t</span><span style="color: #007700">(</span><span style="color: #DD0000">'yii'</span><span style="color: #007700">,</span><span style="color: #DD0000">'Unable&nbsp;to&nbsp;generate&nbsp;random&nbsp;string.'</span><span style="color: #007700">));<br />&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;</span><span style="color: #0000BB">sprintf</span><span style="color: #007700">(</span><span style="color: #DD0000">'$2y$%02d$'</span><span style="color: #007700">,</span><span style="color: #0000BB">$cost</span><span style="color: #007700">).</span><span style="color: #0000BB">strtr</span><span style="color: #007700">(</span><span style="color: #0000BB">$random</span><span style="color: #007700">,array(</span><span style="color: #DD0000">'_'</span><span style="color: #007700">=&gt;</span><span style="color: #DD0000">'.'</span><span style="color: #007700">,</span><span style="color: #DD0000">'~'</span><span style="color: #007700">=&gt;</span><span style="color: #DD0000">'/'</span><span style="color: #007700">));<br />}</span>
</span>
</code></div>
</div>
<p>Generates a salt that can be used to generate a password hash.
<br/><br/>
The PHP <a href="http://php.net/manual/en/function.crypt.php">crypt()</a> built-in function
requires, for the Blowfish hash algorithm, a salt string in a specific format:
 "$2y$" (in which the "y" may be replaced by "a" or "y" see PHP manual for details),
 a two digit cost parameter,
 "$",
 22 characters from the alphabet "./0-9A-Za-z".</p>


<div class="detailHeader" id="hashPassword-detail">
hashPassword()
<span class="detailHeaderTag">
method
</span>
</div>

<table class="summaryTable">
<tr><td colspan="3">
<div class="signature2">
public static string <b>hashPassword</b>(string $password, int $cost=13)</div>
</td></tr>
<tr>
  <td class="paramNameCol">$password</td>
  <td class="paramTypeCol">string</td>
  <td class="paramDescCol">The password to be hashed.</td>
</tr>
<tr>
  <td class="paramNameCol">$cost</td>
  <td class="paramTypeCol">int</td>
  <td class="paramDescCol">Cost parameter used by the Blowfish hash algorithm.
The higher the value of cost,
the longer it takes to generate the hash and to verify a password against it. Higher cost
therefore slows down a brute-force attack. For best protection against brute for attacks,
set it to the highest value that is tolerable on production servers. The time taken to
compute the hash doubles for every increment by one of $cost. So, for example, if the
hash takes 1 second to compute when $cost is 14 then then the compute time varies as
2^($cost - 14) seconds.</td>
</tr>
<tr>
  <td class="paramNameCol">{return}</td>
  <td class="paramTypeCol">string</td>
  <td class="paramDescCol">The password hash string, always 60 ASCII characters.</td>
</tr>
</table>

<div class="sourceCode">
<b>Source Code:</b> <a class="sourceLink" href="https://github.com/yiisoft/yii/blob/1.1.17/framework/utils/CPasswordHelper.php#L92">framework/utils/CPasswordHelper.php#92</a> (<b><a href="#" class="show">show</a></b>)
<div class="code"><code><span style="color: #000000">
<span style="color: #0000BB"></span><span style="color: #007700">public&nbsp;static&nbsp;function&nbsp;</span><span style="color: #0000BB">hashPassword</span><span style="color: #007700">(</span><span style="color: #0000BB">$password</span><span style="color: #007700">,</span><span style="color: #0000BB">$cost</span><span style="color: #007700">=</span><span style="color: #0000BB">13</span><span style="color: #007700">)<br />{<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">self</span><span style="color: #007700">::</span><span style="color: #0000BB">checkBlowfish</span><span style="color: #007700">();<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$salt</span><span style="color: #007700">=</span><span style="color: #0000BB">self</span><span style="color: #007700">::</span><span style="color: #0000BB">generateSalt</span><span style="color: #007700">(</span><span style="color: #0000BB">$cost</span><span style="color: #007700">);<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$hash</span><span style="color: #007700">=</span><span style="color: #0000BB">crypt</span><span style="color: #007700">(</span><span style="color: #0000BB">$password</span><span style="color: #007700">,</span><span style="color: #0000BB">$salt</span><span style="color: #007700">);<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;if(!</span><span style="color: #0000BB">is_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$hash</span><span style="color: #007700">)&nbsp;||&nbsp;(</span><span style="color: #0000BB">function_exists</span><span style="color: #007700">(</span><span style="color: #DD0000">'mb_strlen'</span><span style="color: #007700">)&nbsp;?&nbsp;</span><span style="color: #0000BB">mb_strlen</span><span style="color: #007700">(</span><span style="color: #0000BB">$hash</span><span style="color: #007700">,&nbsp;</span><span style="color: #DD0000">'8bit'</span><span style="color: #007700">)&nbsp;:&nbsp;</span><span style="color: #0000BB">strlen</span><span style="color: #007700">(</span><span style="color: #0000BB">$hash</span><span style="color: #007700">))&lt;</span><span style="color: #0000BB">32</span><span style="color: #007700">)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;throw&nbsp;new&nbsp;</span><span style="color: #0000BB">CException</span><span style="color: #007700">(</span><span style="color: #0000BB">Yii</span><span style="color: #007700">::</span><span style="color: #0000BB">t</span><span style="color: #007700">(</span><span style="color: #DD0000">'yii'</span><span style="color: #007700">,</span><span style="color: #DD0000">'Internal&nbsp;error&nbsp;while&nbsp;generating&nbsp;hash.'</span><span style="color: #007700">));<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;</span><span style="color: #0000BB">$hash</span><span style="color: #007700">;<br />}</span>
</span>
</code></div>
</div>
<p>Generate a secure hash from a password and a random salt.
<br/><br/>
Uses the
PHP <a href="http://php.net/manual/en/function.crypt.php">crypt()</a> built-in function
with the Blowfish hash option.</p>


<div class="detailHeader" id="same-detail">
same()
<span class="detailHeaderTag">
method
</span>
</div>

<table class="summaryTable">
<tr><td colspan="3">
<div class="signature2">
public static bool <b>same</b>(string $a, string $b)</div>
</td></tr>
<tr>
  <td class="paramNameCol">$a</td>
  <td class="paramTypeCol">string</td>
  <td class="paramDescCol">First subject string to compare.</td>
</tr>
<tr>
  <td class="paramNameCol">$b</td>
  <td class="paramTypeCol">string</td>
  <td class="paramDescCol">Second subject string to compare.</td>
</tr>
<tr>
  <td class="paramNameCol">{return}</td>
  <td class="paramTypeCol">bool</td>
  <td class="paramDescCol">true if the strings are the same, false if they are different or if
either is not a string.</td>
</tr>
</table>

<div class="sourceCode">
<b>Source Code:</b> <a class="sourceLink" href="https://github.com/yiisoft/yii/blob/1.1.17/framework/utils/CPasswordHelper.php#L150">framework/utils/CPasswordHelper.php#150</a> (<b><a href="#" class="show">show</a></b>)
<div class="code"><code><span style="color: #000000">
<span style="color: #0000BB"></span><span style="color: #007700">public&nbsp;static&nbsp;function&nbsp;</span><span style="color: #0000BB">same</span><span style="color: #007700">(</span><span style="color: #0000BB">$a</span><span style="color: #007700">,</span><span style="color: #0000BB">$b</span><span style="color: #007700">)<br />{<br />&nbsp;&nbsp;&nbsp;&nbsp;if(!</span><span style="color: #0000BB">is_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$a</span><span style="color: #007700">)&nbsp;||&nbsp;!</span><span style="color: #0000BB">is_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$b</span><span style="color: #007700">))<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;</span><span style="color: #0000BB">false</span><span style="color: #007700">;<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$mb</span><span style="color: #007700">=</span><span style="color: #0000BB">function_exists</span><span style="color: #007700">(</span><span style="color: #DD0000">'mb_strlen'</span><span style="color: #007700">);<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$length</span><span style="color: #007700">=</span><span style="color: #0000BB">$mb&nbsp;</span><span style="color: #007700">?&nbsp;</span><span style="color: #0000BB">mb_strlen</span><span style="color: #007700">(</span><span style="color: #0000BB">$a</span><span style="color: #007700">,</span><span style="color: #DD0000">'8bit'</span><span style="color: #007700">)&nbsp;:&nbsp;</span><span style="color: #0000BB">strlen</span><span style="color: #007700">(</span><span style="color: #0000BB">$a</span><span style="color: #007700">);<br />&nbsp;&nbsp;&nbsp;&nbsp;if(</span><span style="color: #0000BB">$length</span><span style="color: #007700">!==(</span><span style="color: #0000BB">$mb&nbsp;</span><span style="color: #007700">?&nbsp;</span><span style="color: #0000BB">mb_strlen</span><span style="color: #007700">(</span><span style="color: #0000BB">$b</span><span style="color: #007700">,</span><span style="color: #DD0000">'8bit'</span><span style="color: #007700">)&nbsp;:&nbsp;</span><span style="color: #0000BB">strlen</span><span style="color: #007700">(</span><span style="color: #0000BB">$b</span><span style="color: #007700">)))<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;</span><span style="color: #0000BB">false</span><span style="color: #007700">;<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$check</span><span style="color: #007700">=</span><span style="color: #0000BB">0</span><span style="color: #007700">;<br />&nbsp;&nbsp;&nbsp;&nbsp;for(</span><span style="color: #0000BB">$i</span><span style="color: #007700">=</span><span style="color: #0000BB">0</span><span style="color: #007700">;</span><span style="color: #0000BB">$i</span><span style="color: #007700">&lt;</span><span style="color: #0000BB">$length</span><span style="color: #007700">;</span><span style="color: #0000BB">$i</span><span style="color: #007700">+=</span><span style="color: #0000BB">1</span><span style="color: #007700">)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$check</span><span style="color: #007700">|=(</span><span style="color: #0000BB">ord</span><span style="color: #007700">(</span><span style="color: #0000BB">$a</span><span style="color: #007700">[</span><span style="color: #0000BB">$i</span><span style="color: #007700">])^</span><span style="color: #0000BB">ord</span><span style="color: #007700">(</span><span style="color: #0000BB">$b</span><span style="color: #007700">[</span><span style="color: #0000BB">$i</span><span style="color: #007700">]));<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;</span><span style="color: #0000BB">$check</span><span style="color: #007700">===</span><span style="color: #0000BB">0</span><span style="color: #007700">;<br />}</span>
</span>
</code></div>
</div>
<p>Check for sameness of two strings using an algorithm with timing
independent of the string values if the subject strings are of equal length.
<br/><br/>
The function can be useful to prevent timing attacks. For example, if $a and $b
are both hash values from the same algorithm, then the timing of this function
does not reveal whether or not there is a match.
<br/><br/>
NOTE: timing is affected if $a and $b are different lengths or either is not a
string. For the purpose of checking password hash this does not reveal information
useful to an attacker.</p>

<div class="SeeAlso">
<h4>See Also</h4>
<ul>
	<li><a href="http://blog.astrumfutura.com/2010/10/nanosecond-scale-remote-timing-attacks-on-php-applications-time-to-take-them-seriously/">http://blog.astrumfutura.com/2010/10/nanosecond-scale-remote-timing-attacks-on-php-applications-time-to-take-them-seriously/</a></li>
	<li><a href="http://codereview.stackexchange.com/questions/13512">http://codereview.stackexchange.com/questions/13512</a></li>
	<li><a href="https://github.com/ircmaxell/password_compat/blob/master/lib/password.php">https://github.com/ircmaxell/password_compat/blob/master/lib/password.php</a></li>
</ul>
</div>

<div class="detailHeader" id="verifyPassword-detail">
verifyPassword()
<span class="detailHeaderTag">
method
</span>
</div>

<table class="summaryTable">
<tr><td colspan="3">
<div class="signature2">
public static bool <b>verifyPassword</b>(string $password, string $hash)</div>
</td></tr>
<tr>
  <td class="paramNameCol">$password</td>
  <td class="paramTypeCol">string</td>
  <td class="paramDescCol">The password to verify. If password is empty or not a string, method will return false.</td>
</tr>
<tr>
  <td class="paramNameCol">$hash</td>
  <td class="paramTypeCol">string</td>
  <td class="paramDescCol">The hash to verify the password against.</td>
</tr>
<tr>
  <td class="paramNameCol">{return}</td>
  <td class="paramTypeCol">bool</td>
  <td class="paramDescCol">True if the password matches the hash.</td>
</tr>
</table>

<div class="sourceCode">
<b>Source Code:</b> <a class="sourceLink" href="https://github.com/yiisoft/yii/blob/1.1.17/framework/utils/CPasswordHelper.php#L112">framework/utils/CPasswordHelper.php#112</a> (<b><a href="#" class="show">show</a></b>)
<div class="code"><code><span style="color: #000000">
<span style="color: #0000BB"></span><span style="color: #007700">public&nbsp;static&nbsp;function&nbsp;</span><span style="color: #0000BB">verifyPassword</span><span style="color: #007700">(</span><span style="color: #0000BB">$password</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$hash</span><span style="color: #007700">)<br />{<br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">self</span><span style="color: #007700">::</span><span style="color: #0000BB">checkBlowfish</span><span style="color: #007700">();<br />&nbsp;&nbsp;&nbsp;&nbsp;if(!</span><span style="color: #0000BB">is_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$password</span><span style="color: #007700">)&nbsp;||&nbsp;</span><span style="color: #0000BB">$password</span><span style="color: #007700">===</span><span style="color: #DD0000">''</span><span style="color: #007700">)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;</span><span style="color: #0000BB">false</span><span style="color: #007700">;<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!</span><span style="color: #0000BB">$password&nbsp;</span><span style="color: #007700">||&nbsp;!</span><span style="color: #0000BB">preg_match</span><span style="color: #007700">(</span><span style="color: #DD0000">'{^\$2[axy]\$(\d\d)\$[\./0-9A-Za-z]{22}}'</span><span style="color: #007700">,</span><span style="color: #0000BB">$hash</span><span style="color: #007700">,</span><span style="color: #0000BB">$matches</span><span style="color: #007700">)&nbsp;||<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$matches</span><span style="color: #007700">[</span><span style="color: #0000BB">1</span><span style="color: #007700">]&lt;</span><span style="color: #0000BB">4&nbsp;</span><span style="color: #007700">||&nbsp;</span><span style="color: #0000BB">$matches</span><span style="color: #007700">[</span><span style="color: #0000BB">1</span><span style="color: #007700">]&gt;</span><span style="color: #0000BB">31</span><span style="color: #007700">)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;</span><span style="color: #0000BB">false</span><span style="color: #007700">;<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;</span><span style="color: #0000BB">$test</span><span style="color: #007700">=</span><span style="color: #0000BB">crypt</span><span style="color: #007700">(</span><span style="color: #0000BB">$password</span><span style="color: #007700">,</span><span style="color: #0000BB">$hash</span><span style="color: #007700">);<br />&nbsp;&nbsp;&nbsp;&nbsp;if(!</span><span style="color: #0000BB">is_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$test</span><span style="color: #007700">)&nbsp;||&nbsp;</span><span style="color: #0000BB">strlen</span><span style="color: #007700">(</span><span style="color: #0000BB">$test</span><span style="color: #007700">)&lt;</span><span style="color: #0000BB">32</span><span style="color: #007700">)<br />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;</span><span style="color: #0000BB">false</span><span style="color: #007700">;<br /><br />&nbsp;&nbsp;&nbsp;&nbsp;return&nbsp;</span><span style="color: #0000BB">self</span><span style="color: #007700">::</span><span style="color: #0000BB">same</span><span style="color: #007700">(</span><span style="color: #0000BB">$test</span><span style="color: #007700">,&nbsp;</span><span style="color: #0000BB">$hash</span><span style="color: #007700">);<br />}</span>
</span>
</code></div>
</div>
<p>Verify a password against a hash.</p>


</div><!-- end of content -->

<div id="apiFooter">
&copy; 2008-2013 by <a href="http://www.yiisoft.com">Yii Software LLC</a><br/>
All Rights Reserved.<br/>
</div><!-- end of footer -->

<script type="text/javascript">
/*<![CDATA[*/
$("a.toggle").toggle(function(){
	$(this).text($(this).text().replace(/Hide/,'Show'));
	$(this).parents(".summary").find(".inherited").hide();
},function(){
	$(this).text($(this).text().replace(/Show/,'Hide'));
	$(this).parents(".summary").find(".inherited").show();
});
$(".sourceCode a.show").toggle(function(){
	$(this).text($(this).text().replace(/show/,'hide'));
	$(this).parents(".sourceCode").find("div.code").show();
},function(){
	$(this).text($(this).text().replace(/hide/,'show'));
	$(this).parents(".sourceCode").find("div.code").hide();
});
$("a.sourceLink").click(function(){
	$(this).attr('target','_blank');
});
/*]]>*/
</script>

</div><!-- end of page -->
</body>
</html>